Symantec's 'Honey Stick' Experiment Shows What Happens to Lost Smartphones

"Honey Stick Project" Exposes Risk from Lost Smartphones

To get a look at what happens when a smartphone containing sensitive corporate information is lost, Symantec loaded 50 phones with tracking software and fake "sensitive" information, then scattered the devices across multiple cities in North America.

The test, called the Honey Stick Project, was designed to see what really happens when a smartphone is lost and collected by someone other than the owner.

Once the mobile devices were loaded with the simulated personal and corporate data, Symantec dropped the 50 fully charged smartphones in five different cities: New York City; Washington D.C.; Los Angeles; San Francisco; and Ottawa, Canada. The devices were intentionally "lost" in different types of locations, including elevators, malls, food courts, public transit stops and other heavily trafficked, publicly accessible places.

With the remote monitoring software installed, it wasn't long before the phones started to move. Tracking showed that 96 percent of the devices were accessed once found, and 70 percent of them were accessed for personal and business-related applications and information. Less than half of the people who picked up the intentionally lost devices attempted to locate the owner. Interestingly, only two phones were left unaccounted for; all the others were found.

It seems it's hard to trust your fellow man these days, and that was exactly the point Symantec set out to demonstrate.

Going further, on 45 percent of the devices located there was an attempt to read corporate email, and the remote admin application was accessed 49 percent of the time. A file named "saved passwords" was also one of the top selections, with a 57 percent access rate. Access to social networking accounts and personal email was attempted on over 60 percent of the devices each.

Additionally, 66 percent of the devices showed attempts to click through the login or password reset screens (where a login page was presented with username and password fields pre-filled, suggesting that the account could be accessed simply by clicking the "login" button).

In all, the average time spent accessing the "found" phones was just over 10 hours.

"The goal of this research is to show what smartphone users should expect to happen on their phones if they are lost and then found by a stranger. In today's world, both consumers and corporations need to be concerned with protecting the sensitive information on mobile devices," the report on the experiment explains.

"While devices can be replaced, the information stored and accessed on them is at risk unless users and businesses take precautions to protect it."

While this type of public experiment is certainly interesting, Symantec notes that projects like this are by no means perfect. "In particular, logging of the apps depends on the device having Internet access," the summary notes. "Therefore, if a finder manipulates the device in a certain way, it is possible that no data will be recorded. This situation would result in an under-reporting of access frequency. Conversely, the most significant over-reporting error would be an individual who was aware of the intent of the study, and performed repeated accesses as a way to manipulate the results to be more significant than would normally happen."

More information about the Honey Stick experiment is on Symantec's blog. The full report (PDF) is available here.

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.